
GFI EventsManager 2010 Manual


http://www.gfi.com

This manual was produced by GFI Software Ltd. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI Software Ltd.

GFI EventsManager is developed by GFI Software Ltd. GFI EventsManager is copyright of GFI Software Ltd. © 2000-2010 GFI Software Ltd. All rights reserved. Document Version: ESM-UM-EN-2.02.00


Contents

1 Introduction 1
1.1 About this manual 1
1.2 Conventions used in this manual 2
1.3 About GFI EventsManager 3
1.4 Key Features 4
1.5 How does GFI EventsManager work? 7
1.6 Navigating the GFI EventsManager management console 9

2 Installation 11
2.1 Introduction 11
2.2 Hardware requirements 14
2.3 Software requirements 14
2.4 Other requirements 15
2.5 Upgrading from a previous version 17
2.6 Installation procedure 17

3 Getting Started 21
3.1 Introduction 21
3.2 Running GFI EventsManager for the first time 25
3.3 Step 1: Configure the database backend 25
3.4 Step 2: Launch events processing 29
3.5 Step 3: Analyze events and generate reports 34

4 Event browsing 37
4.1 Introduction 37
4.2 Event filter/query builder 40
4.3 Event color-coding options 45
4.4 Event finder tool 48
4.5 Export events tool 48
4.6 Customizing the event viewer pane 49
4.7 Event maintenance 51

5 Generating reports 55
5.1 Introduction 55
5.2 Daily Digest 55
5.3 Download the GFI EventsManager ReportPack 58
5.4 Launching the GFI EventsManager ReportPack 59

6 Manage event sources 61
6.1 Introduction 61
6.3 Adding event sources 67
6.4 Configuring event source properties 69
6.5 Adding Database Server sources 76
6.6 Configuring SQL Servers event source properties 78
6.7 Adding GFI LANguard event sources 82
6.8 Adding GFI EndPointSecurity event sources 84

7 Using event processing rules 87
7.1 Introduction 87
7.2 How event processing works 89
7.3 Collecting events 90
7.4 Archiving events 105
7.5 Select event processing rules 108
7.6 Triggering event source scanning manually 110

8 Manage rule-sets 111
8.1 Introduction 111
8.2 Managing rule set folders 112
8.3 Create log rules 114
8.4 Advanced event filtering parameters 135

9 Customizing alerts and actions 137
9.1 Introduction 137
9.2 Configuring default classification actions 138
9.3 Configuring alerting options 140

10 Configuring users and groups 146
10.1 Introduction 146
10.2 Manage user accounts 147
10.3 Manage groups 154
10.4 Manage console security 156

11 Status monitoring 163
11.1 Introduction 163
11.2 General status view 164
11.3 Job activity view 170
11.4 Statistics view 173

12 Database Operations 175
12.1 Introduction 175
12.2 Why database maintenance? 175
12.3 Create maintenance jobs 177
12.4 Edit existing maintenance jobs 192

13 Miscellaneous 197
13.1 Enabling permissions on target computers manually 197
13.2 Setting permissions on target computers automatically via GPO 212
13.3 Disable UAC to scan target machines 217
13.4 Command line operations 218
13.6 Version information 224

14 Troubleshooting 225
14.1 Introduction 225
14.2 Common issues 225
14.3 Knowledge Base 229
14.4 Web Forum 229
14.5 Request technical support 229
14.6 Build notifications 229

15 Glossary 231


List of tables

Table 1 - Ports used by GFI EventsManager 15
Table 2 - Firewall permissions to enable 16
Table 3 - Quick Launch Console options 34
Table 4 - Event source group options 62
Table 5 - Synchronization properties - General tab 64
Table 6 - Example of synchronizations 64
Table 7 - Auditing options 74
Table 8 - Rule-set folders available in GFI EventsManager 111
Table 9 - Parameters available in the Event ID field 135
Table 10 - Parameters available in the Source, Category and User fields 135
Table 11 - Parameters available in the Message and Process fields 135
Table 12 - Move to database - Rollover options 183


List of screenshots

Screenshot 1 - The GFI EventsManager management console 9
Screenshot 2 - Customer and License detail screen 18
Screenshot 3 - Logon information screen 19
Screenshot 4 - Windows event log 22
Screenshot 5 - Database backend alert displayed on Quick Start Dialog 25
Screenshot 6 - Database Options - Change database tab 26
Screenshot 7 - SQL Server Management - Logins folder 27
Screenshot 8 - SQL Server Management - Login Properties dialog 28
Screenshot 9 - Quick Start Dialog 29
Screenshot 10 - Events processed from local machine 30
Screenshot 11 - Select the type of event source 31
Screenshot 12 - Select computers from result 32
Screenshot 13 - Process events from selected machines 33
Screenshot 14 - GFI EventsManager Quick Launch Console 34
Screenshot 15 - GFI EventsManager: Events Browser 37
Screenshot 16 - Event details provided in the Events Browser 38
Screenshot 17 - Configure auto-refresh 39
Screenshot 18 - Selecting a filter 40
Screenshot 19 - GFI EventsManager: Events Browser 41
Screenshot 20 - Custom query builder 42
Screenshot 21 - Query builder for an existing query 43
Screenshot 22 - Create new query using the query builder 44
Screenshot 23 - Default and custom event queries 45
Screenshot 24 - Color coding configuration 45
Screenshot 25 - Assigning event color-codes 46
Screenshot 26 - Advanced Color Filter 47
Screenshot 27 - Event finder tool 48
Screenshot 28 - Export events tool 49
Screenshot 29 - Customize view: columns 49
Screenshot 30 - Customize view 50
Screenshot 31 - Backup events dialog box 51
Screenshot 32 - Add a new database from the switch database dialog 52
Screenshot 33 - Clear all events dialog box 53
Screenshot 34 - Daily Digest email settings 56
Screenshot 35 - Daily digest email 57
Screenshot 36 - Downloading GFI EventsManager ReportPack 58
Screenshot 37 - Launching the GFI EventsManager ReportPack 59
Screenshot 38 - GFI EventsManager ReportPack console 59
Screenshot 39 - Add new event source group 62
Screenshot 40 - Synchronization properties - General tab 64
Screenshot 41 - Synchronization properties - Exclusion tab 65
Screenshot 42 - Synchronization properties - Schedule tab 66
Screenshot 43 - Configuration wizard: Specify the computers that will be monitored 67
Screenshot 44 - Browse the network for connected computers 68
Screenshot 46 - Event sources properties dialog 70
Screenshot 47 - Configuring alternative logon credentials 71
Screenshot 48 - Specify operational time 72
Screenshot 49 - GFI EventsManager audit 74
Screenshot 50 - Event-processing configuration tabs 75
Screenshot 51 - Creating a new SQL Server group 76
Screenshot 52 - Database Servers Groups 77
Screenshot 53 - Add a new Microsoft SQL Server 77
Screenshot 54 - Select Microsoft SQL Server(s) 78
Screenshot 55 - Database Servers Groups 78
Screenshot 56 - 'SQL Servers' Group 79
Screenshot 57 - Microsoft SQL Server group properties 80
Screenshot 58 - The SQL Server Group properties dialog 81
Screenshot 59 - Event generated by GFI LANguard 82
Screenshot 60 - GFI EventsManager General Status view: Critical and High importance events 83
Screenshot 61 - Event generated by GFI EndPointSecurity 85
Screenshot 62 - Rule-sets folder and Rule-sets 88
Screenshot 63 - Log processing, classification and actions flowchart 89
Screenshot 64 - Computer group properties: Configuring logs to be processed 90
Screenshot 65 - Computer group properties: Configuring Windows Event Logs parameters 91
Screenshot 66 - Selecting the events to be collected 92
Screenshot 67 - Computer group properties: Configuring W3C event processing parameters 94
Screenshot 68 - Add a new W3C folder path 94
Screenshot 69 - Computer group properties: Syslog processing parameters 95
Screenshot 70 - Configuring Syslog Server 97
Screenshot 71 - Syslog server properties 98
Screenshot 72 - Computer group properties: SNMP processing parameters 100
Screenshot 73 - Configuring SNMP Traps 101
Screenshot 74 - SNMP Traps options 102
Screenshot 75 - Custom event logs setup 103
Screenshot 76 - Custom event logs dialog 104
Screenshot 77 - List of custom events 105
Screenshot 78 - Archiving events after processing 105
Screenshot 79 - Configure file folder 107
Screenshot 80 - Computer group properties: Configuring Windows Event Logs parameters 108
Screenshot 81 - Selecting event processing rules/rule-sets 108
Screenshot 82 - Triggering log collection manually 110
Screenshot 83 - The log type drop-down list 112
Screenshot 84 - New rule-set dialog box 113
Screenshot 85 - Selecting log-type from the provided drop-down 114
Screenshot 86 - GFI EventsManager: Select the Log(s) 115
Screenshot 87 - GFI EventsManager: Select the filtering conditions 115
Screenshot 88 - New processing rule wizard: Select event occurrence and importance 116
Screenshot 89 - New processing rule wizard: Select action 117
Screenshot 90 - New processing rule wizard: Select W3C Log 118
Screenshot 91 - New processing rule wizard: Configure filtering conditions 119
Screenshot 92 - Edit filter rules 119
Screenshot 93 - New processing rule wizard: Select event occurrence and importance 120
Screenshot 95 - New processing rule wizard: Configure Conditions 122
Screenshot 96 - New processing rule wizard: Select event occurrence and importance 122
Screenshot 97 - New processing rule wizard: Select action 123
Screenshot 98 - New processing rule wizard: Configure Conditions 124
Screenshot 99 - New processing rule wizard: Select event occurrence and importance 125
Screenshot 100 - New processing rule wizard: Select action 126
Screenshot 101 - New processing rule wizard: Configure Conditions 127
Screenshot 102 - New processing rule wizard: Select event occurrence and importance 128
Screenshot 103 - New processing rule wizard: Select action 129
Screenshot 104 - Create rule from event 130
Screenshot 105 - New Rule dialog 131
Screenshot 106 - Updated conditions for the selected rule 132
Screenshot 107 - Edit an existing custom rule 133
Screenshot 108 - Log processing rule properties 134
Screenshot 109 - Available field operators 136
Screenshot 110 - Configuring default classification actions 138
Screenshot 111 - Default classification actions screen 139
Screenshot 112 - Configuring alerting options 140
Screenshot 113 - Alerting options dialog 141
Screenshot 114 - Mail server properties dialog box 142
Screenshot 115 - Format mail message 143
Screenshot 116 - Alerting Options: Network dialog box 143
Screenshot 117 - Alerting Options: SMS dialog box 144
Screenshot 118 - Alerting Options: SNMP dialog box 145
Screenshot 119 - Configuring users and groups node 146
Screenshot 120 - Configuring the default EventsManagerAdministrator account 147
Screenshot 121 - EventsManager Administrator properties 148
Screenshot 122 - Configuring the typical working hours of an alert recipient 149
Screenshot 123 - Selecting alerts to be sent during and outside working hours 150
Screenshot 124 - Notification groups to which a user belongs 151
Screenshot 125 - Configuring GFI EventsManager administrator privileges 152
Screenshot 126 - GFI EventsManager new user privileges 153
Screenshot 127 - Groups configuration screen 154
Screenshot 128 - New groups setup 155
Screenshot 129 - Select the login options feature 156
Screenshot 130 - Login options dialog 157
Screenshot 131 - Login window 158
Screenshot 132 - Select the Audit options feature 159
Screenshot 133 - Audit Options 160
Screenshot 134 - Auto-discovery credentials 161
Screenshot 135 - Dashboard View Options 163
Screenshot 136 - GFI EventsManager status: General view 164
Screenshot 137 - GFI EventsManager General Status view: Service Status 164
Screenshot 138 - GFI EventsManager General Status view: Important logon events 165
Screenshot 139 - GFI EventsManager General Status view: Critical and High importance events 166
Screenshot 140 - GFI EventsManager General Status view: Service Status 167
Screenshot 141 - GFI EventsManager Backup logs 168
Screenshot 142 - GFI EventsManager General Status view: Services Status 168
Screenshot 143 - GFI EventsManager General Status view: Network Activity 169
Screenshot 144 - GFI EventsManager Job Activity view 170
Screenshot 145 - GFI EventsManager Job Activity view: Active Jobs 171
Screenshot 146 - GFI EventsManager Job Activity view: Queued Jobs 171
Screenshot 147 - GFI EventsManager Job Activity view: Server Message History 171
Screenshot 148 - GFI EventsManager Job Activity view: Operational History 172
Screenshot 149 - GFI EventsManager Job Activity view: Job activity status 172
Screenshot 150 - GFI EventsManager Statistics view 173
Screenshot 151 - GFI EventsManager Statistics view: Events Count For Today 173
Screenshot 152 - GFI EventsManager Statistics view: Events count by log type 174
Screenshot 153 - GFI EventsManager Statistics view: Activity Overview 174
Screenshot 154 - Configuring Database Operations 177
Screenshot 155 - Database Operations Options dialog: GFI EventsManager unique identifier 178
Screenshot 156 - Database Operations Options dialog: Scheduling options 179
Screenshot 157 - New job wizard: Job Type dialog 180
Screenshot 158 - Data filter dialog: Specifying data filter conditions 181
Screenshot 159 - Specify when the job will be executed 182
Screenshot 160 - New job wizard: Move to database 183
Screenshot 161 - New job wizard: Export to file 184
Screenshot 162 - New job wizard: Export to file using encryption 185
Screenshot 163 - New job wizard: Import from file 186
Screenshot 164 - New job wizard: Import from file decryption 187
Screenshot 165 - New job wizard: Delete data 188
Screenshot 166 - Data filter dialog 189
Screenshot 167 - Creating a filter for Windows events: Edit filter dialog 190
Screenshot 168 - Advanced Filter settings 191
Screenshot 169 - Viewing scheduled maintenance jobs 192
Screenshot 170 - Job activity status 192
Screenshot 171 - Editing a maintenance job 193
Screenshot 172 - Example dialog to edit a scheduled job 194
Screenshot 173 - Maintenance job priorities 195
Screenshot 174 - Firewall rules on Microsoft Windows XP 198
Screenshot 175 - Local security policy window 199
Screenshot 176 - Audit object access Properties 200
Screenshot 177 - Audit process tracking Properties 201
Screenshot 178 - Audit account management properties 202
Screenshot 179 - Audit system events properties 203
Screenshot 180 - Allowed programs in Microsoft Windows Vista or later 204
Screenshot 181 - Local security policy window 205
Screenshot 182 - Audit object access Properties 206
Screenshot 183 - Audit process tracking Properties 207
Screenshot 184 - Audit account management properties 208
Screenshot 185 - Audit system events properties 209
Screenshot 186 - Enable firewall rules in Microsoft Windows Server 2003 210
Screenshot 187 - Firewall rules on Microsoft Windows Server 2008 212
Screenshot 188 - Domain Policy console in Microsoft Windows Server 2003 213
Screenshot 189 - Group Policy Management in Microsoft Windows Server 2008 R2 214
Screenshot 190 - Group Policy Management Editor 215
Screenshot 191 - Predefined rules 216
Screenshot 192 - Predefined rules 217
Screenshot 193 - Update license key 222


1 Introduction

1.1 About this manual

This manual is structured in line with the logical chain of configuration operations required to get GFI EventsManager up and running.

Chapter Description

Chapter 1 Introduction
An overview of this manual and how GFI EventsManager works.

Chapter 2 Installation
Describes how to install GFI EventsManager, including system requirements, pre-install actions required and how to upgrade from previous versions.

Chapter 3 Getting Started
Shows how to configure GFI EventsManager for first time use, including how to configure the database backend and how to process event logs for the first time.

Chapter 4 Event browsing
Explains how to use the built-in events browser to analyze events stored in the GFI EventsManager database backend, including:
• Default event log queries and custom query builder
• Event color-coding
• Event finder tool.

Chapter 5 Generating reports
Describes how to enable the GFI EventsManager ReportPack to create reports that further analyze the events stored in the GFI EventsManager database backend. In addition, describes how to configure a user to receive the GFI EventsManager Daily Digest email.

Chapter 6 Manage event sources
Shows how to customize the event sources to be monitored.

Chapter 7 Using event processing rules
Explains how to use event processing rules.

Chapter 8 Manage rule-sets
Describes how to create, edit and delete event processing rules.

Chapter 9 Customizing alerts and actions
Shows how to set the alerts and actions that will be triggered on particular events.


2 Introduction GFI EventsManager manual


Chapter 10 Configuring users and groups

Explains how to configure alert recipient parameters including:
• Personal details such as mobile phone number
• Normal working hours
• Type of alerts that will be sent to every recipient.

Chapter 11 Status monitoring

Describes how to analyze the status of GFI EventsManager as well as view statistical information and processed events.

Chapter 12 Database Operations

Explains how to centralize events collected by other remote GFI EventsManager instances and how to optimize database backend performance.

Chapter 13 Miscellaneous

Describes miscellaneous options such as permissions, command line operations and licensing.

Chapter 14 Troubleshooting

Explains what main sources of information are available to help administrators troubleshoot product issues.

Chapter 15 Glossary

Defines technical terms used within GFI EventsManager.

1.2 Conventions used in this manual

The following table contains a description of the common terms and conventions used in this manual:

Term Description

Additional information and references essential for the operation of GFI EventsManager.

Important notifications and cautions regarding potential issues that are commonly encountered.

► Step by step navigation instructions to access a function.

Bold text Indicates a control within the user interface, such as nodes, menus and buttons.

<Italic text> Replace text within angle brackets, such as file paths and custom parameters.

For any technical terms and their definitions as used in this manual, refer to the Glossary.


1.3 About GFI EventsManager

Figure 1 - GFI EventsManager integrates into any existing IT infrastructure

GFI EventsManager is a results-oriented event log management solution which integrates into any existing IT infrastructure, automating and simplifying the tasks involved in network-wide events management.

Through the features supported by GFI EventsManager you can:

Automatically collect W3C, Syslog, SNMP Traps and Windows events from network devices and Windows/Linux/Unix based systems and manage them through one console.

Archive collected events in a centralized SQL Server based database backend for future analysis and forensic studies.

Automatically transfer events from the database to external files.

Filter unwanted events and classify key events through the use of powerful default or custom-built event processing rules.

Automate alerting and remedial actions such as the execution of scripts and files on key events.

Monitor your network activity and the status of your GFI EventsManager scanning engine through a built-in graphical dashboard.


Analyze events through a built-in events browser as well as export these events to CSV files for further processing and report customization.

Simplify event forensics through specialized tools which include a built-in event query builder, an event finder tool and an event color-coding tool.

Increase event processing power through a high-performance event scanning engine.

Generate, schedule as well as email event activity and trend reports through GFI EventsManager ReportPack - the powerful reporting companion tool which ships by default with GFI EventsManager.

Monitor the operational health status of your SQL Servers in real-time by processing the activity logs/messages generated by day-to-day SQL Server operations.

1.4 Key Features

Extended event log support

GFI EventsManager is able to process various event log types including Windows Event Logs, W3C logs, Syslog and SNMP Trap messages. This allows you to collect more data from the different hardware and software systems that are most commonly available on a typical corporate network. For a summary list of hardware and software systems that are supported by GFI EventsManager out-of-the-box refer to: http://kbase.gfi.com/showarticle.asp?id=KBID003302.

Rule-based event log management

GFI EventsManager ships with a pre-configured set of event processing rules that allow you to filter and classify events collected from a variety of event-log sources. You can run these default rules without performing any configuration, or you can choose to customize these rules or create tailored ones that suit your network infrastructure. For a list of event-log sources that can be processed by GFI EventsManager out-of-the-box refer to: http://kbase.gfi.com/showarticle.asp?id=KBID002868.

Event log scanning profiles

GFI EventsManager allows you to organize event log scanning rules into Scanning Profiles. In a scanning profile, you can configure the set of event log monitoring rules that will be applied to a specific computer or group of computers. The benefits of these profiles include:

Simplification of product administration tasks by providing a centralized way of tuning event processing rules.

Allowing administrators to create different sets of event log rules that suit the roles of scanned event sources and the corporate network environment. For example, you can set up a set of rules which apply only to workstations in a particular department.

Allow granular configuration of rules

Administrators can create an event processing profile that is generic for all computers and a number of separate profiles which complement the generic profile by providing additional and more specialized event log rules on a computer by computer basis.

Translates cryptic Windows events

One major drawback of Windows Event Logs is that they are not user friendly - too cryptic for the user to understand. In fact this is one of the main reasons why only a few administrators really peer into Windows Event Logs. GFI EventsManager overcomes this problem by translating event descriptions into a form that is more user-friendly and easier to understand.

Enhanced event scanning engine

GFI EventsManager includes an event scanning engine that has been tuned to effectively speed up event scanning for maximum performance. This engine adopts a plug-in based concept that allows the plugging-in of additional features/modules without having to perform physical changes to the existing code - hence more stability without affecting scalability.

Automatic noise reduction

GFI EventsManager identifies and removes unwanted event data (such as noise and events generated by background processes), providing you with only the relevant, usable data. This facilitates event forensics by reducing the number of events to be analyzed.

Enhanced real-time actions

GFI EventsManager can generate alerts or trigger actions such as script execution when key events are detected. You can alert one or more people in various ways including: email, network messages, and SMS notifications sent through an email-to-SMS gateway or service. Actions can be configured to trigger on event classification or by configuring specific conditions in event processing rules.

Advanced event filtering features

GFI EventsManager ships with a number of event filtering features including:

• Pre-configured event queries and a custom event query builder: The pre-configured event queries allow you to sift event log data and browse only the required events - without deleting any records from your database backend. The built-in event query builder allows you to create your own custom event queries.

• Event color-coding capabilities: Through this feature you can selectively color particular events in specific colors. This way during log browsing you can easily identify important events through their color.

• Event finder tool: With this tool you can quickly locate important events by providing specific search criteria such as event type.

Event centralization

GFI EventsManager enables you to monitor and manage events generated by Windows\Linux\Unix systems, network devices and software applications through a single user console.

User access privileges

GFI EventsManager allows you to assign management console access privileges on a user-by-user basis. This means that you can allow specific users to access the GFI EventsManager console for event-browsing only and at the same time allow other more privileged users to access and change the GFI EventsManager configuration settings.

SQL Server audit

GFI EventsManager allows you to automatically monitor the operational health status of your SQL Servers. This is achieved by processing in real-time the activity logs/messages generated by day-to-day SQL Server operations. SQL server activity that is monitored includes server startup, login activity, backups, server-side traces and more. Additionally, GFI EventsManager can also alert you via email, network or SMS notifications on key events like server shutdown and consecutive failed logins.

Database operations (WAN Connector)

The Database Operations module allows you to collect events data from GFI EventsManager installations on multiple sites and locations across your network into a central database. This add-on integrates and centralizes events collected and processed and allows you to backup/restore events on demand. Through Database Operations you can manage the size of the database - without the need for manual intervention - not only through centralization but by also being able to export events and back them up as needed.

Management Information Base

Management Information Bases (MIBs) contain definitions and device information that are provided by device manufacturers. GFI EventsManager ships with MIB definitions for the following vendors: Cisco, 3Com, IBM, HP, Check Point, Alcatel, Dell, Netgear, SonicWall, Juniper Networks, Arbor Networks, Oracle, Symantec, Allied Telesis and others. GFI EventsManager also allows you to edit the MIB tree.


1.5 How does GFI EventsManager work?

Figure 2 - The GFI EventsManager operational stages

The operational functionality of GFI EventsManager is divided into 2 stages:

Stage 1: Event Collection

Stage 2: Event Processing

A description of every stage is provided below.

Stage 1: Event Collection

During the Event Collection stage, GFI EventsManager collects logs from specific event sources. This is achieved through the use of 2 event collection engines: The Event Retrieval Engine and the Event Receiving Engine.

The Event Retrieval Engine - The Event Retrieval Engine is used to collect Windows Event Logs and W3C logs from networked event sources. During the Event Collection process this engine will:

1. Log on to the event source(s)
2. Collect events from the source(s)
3. Send collected events to the GFI EventsManager Server
4. Log off from the event source(s).

The Event Retrieval Engine collects events at specific time intervals. The event collection interval is configurable from the GFI EventsManager management console.

The Event Receiving Engine - The Event Receiving Engine acts as a Syslog and an SNMP Traps server; it listens for and collects Syslog and SNMP Trap events/messages sent by various sources on the network. As opposed to the Event Retrieval Engine, the Event Receiving Engine receives messages directly from the event source; therefore it does not need to log on remotely to the event sources for event collection. Further to this, Syslog and SNMP Trap events/messages are collected in real-time and therefore no collection time intervals need to be configured. By default, the Event Receiving Engine listens for Syslog messages on port 514 and for SNMP Trap messages on port 162. Both port settings are however customizable via the GFI EventsManager management console.

Stage 2: Event Processing

During this stage, GFI EventsManager will run a set of Event Processing Rules against collected events. Event Processing rules are instructions that:

Analyze the collected logs and classify processed events as Critical, High, Medium, Low or Noise (unwanted or repeated events)

Filter events that match specific conditions

Trigger email, SMS and network alerts on key events

Trigger remediation actions such as the execution of executable files or scripts on key events


GFI EventsManager can be configured to archive events without running Event Processing rules. In such cases, even though no rules will be applied against collected logs, archiving will still be handled by the Event Processing stage. After processing the rules, GFI EventsManager can be configured to store the collected events in a storage folder. The administrator can configure the path of the storage folder and configure which events are stored. This function will minimize database growth, and allows the administrator to store only important events in the database.
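As an added illustration of the two stages described in this section, the following Python script models, in miniature, what the manual describes: the Event Receiving Engine accepting a Syslog line pushed from the network and decoding its PRI field into facility and severity, the Event Retrieval Engine handing over Windows event records it has already collected, and a Stage 2 rule set that classifies each event as Critical, High, Medium, Low or Noise, drops Noise before storage, and records which alerting actions fire. This is example code written for this page, not GFI code and not how the product is implemented; the rule names, the sample Syslog lines and the Windows records are constructed for the example (4625 and 7036 are real Windows event IDs for a failed logon and a service state change, but the records themselves are made up).

```python
"""Toy model of event collection (Stage 1) and rule-based processing (Stage 2).
Example code added for illustration; not part of GFI EventsManager."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# RFC 3164 severity names, indexed by the numeric severity carried in the PRI field.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
CLASSES = ("Critical", "High", "Medium", "Low", "Noise")


@dataclass
class Event:
    source: str
    log_type: str                     # "syslog" or "windows"
    event_id: Optional[int]
    message: str
    attrs: Dict[str, object] = field(default_factory=dict)


SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.+)$")


def parse_syslog(line: str, source: str) -> Event:
    """Stage 1, Event Receiving Engine: decode the PRI of a line a device pushed
    to the listener. PRI = facility * 8 + severity, so anything above 191 or a
    line without a PRI is rejected rather than guessed at."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("malformed syslog line (no PRI): " + line)
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return Event(source, "syslog", None, m.group("rest").strip(),
                 {"facility": facility, "severity": severity,
                  "severity_name": SEVERITY_NAMES[severity]})


def parse_windows(record: Dict[str, object], source: str) -> Event:
    """Stage 1, Event Retrieval Engine: a record already read from a remote
    Windows event log (the engine logged on, collected, and logged off)."""
    return Event(source, "windows", int(record["EventID"]), str(record["Message"]),
                 {"log": record["Log"], "user": record.get("User", "")})


@dataclass
class Rule:
    name: str
    log_type: str
    classification: str               # one of CLASSES
    match: Callable[[Event], bool]
    actions: Tuple[str, ...] = ()     # alerting actions to trigger, e.g. ("email", "sms")


# Constructed rule set standing in for the product's default processing rules.
RULES: List[Rule] = [
    Rule("Windows failed logon", "windows", "High",
         lambda e: e.event_id == 4625, ("email",)),
    Rule("Windows service state change", "windows", "Noise",
         lambda e: e.event_id == 7036),
    Rule("Syslog emerg/alert/crit", "syslog", "Critical",
         lambda e: e.attrs["severity"] <= 2, ("email", "sms")),
    Rule("Syslog err", "syslog", "Medium",
         lambda e: e.attrs["severity"] == 3),
    Rule("Syslog notice/info/debug", "syslog", "Noise",
         lambda e: e.attrs["severity"] >= 5),
]


def process(events, rules=RULES):
    """Stage 2: the first matching rule classifies the event; events no rule
    matches default to Low; Noise is filtered out before storage; the matching
    rule's actions are recorded as alerts (action, rule name, source)."""
    kept: List[Tuple[str, Event]] = []
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        hit = next((r for r in rules if r.log_type == e.log_type and r.match(e)), None)
        cls = hit.classification if hit else "Low"
        if cls == "Noise":
            continue
        kept.append((cls, e))
        for action in (hit.actions if hit else ()):
            alerts.append((action, hit.name, e.source))
    return kept, alerts


# Constructed sample input: three syslog lines and two Windows event records.
SAMPLE_SYSLOG = [
    "<34>Oct 11 22:14:15 fw01 kernel: link down on eth1",    # facility 4, severity 2 (crit)
    "<14>Oct 11 22:14:16 fw01 cron[123]: job finished",      # facility 1, severity 6 (info)
    "<27>Oct 11 22:14:17 fw01 sshd[42]: error: bad config",  # facility 3, severity 3 (err)
]
SAMPLE_WINDOWS = [
    {"Log": "Security", "EventID": 4625, "User": "jdoe", "Message": "An account failed to log on."},
    {"Log": "System", "EventID": 7036, "Message": "The Spooler service entered the running state."},
]


def run_sample():
    events = [parse_syslog(line, "fw01") for line in SAMPLE_SYSLOG]
    events += [parse_windows(rec, "dc01") for rec in SAMPLE_WINDOWS]
    return process(events)


if __name__ == "__main__":
    kept_events, fired = run_sample()
    for cls, ev in kept_events:
        print(cls, ev.source, ev.log_type, ev.event_id, ev.message)
    for entry in fired:
        print("alert:", entry)
```

Running the sample keeps three of the five events (the critical and error Syslog lines and the failed logon), drops the two Noise events, and fires three alerts. Because the receiving path accepts whatever arrives on the listener, the parser rejects lines with no PRI or an out-of-range PRI instead of silently classifying them; a real deployment would also want the rule set to cover the unmatched-event case explicitly rather than relying on the Low default.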

Some of the key modules in GFI EventsManager must run under administrative privileges. For more information on these modules refer to: http://kbase.gfi.com/showarticle.asp?id=KBID001122.

1.6 Navigating the GFI EventsManager management console

Screenshot 1 - The GFI EventsManager management console

Section Description

Status option - Use this option to view the status of GFI EventsManager and statistical information on processed logs.

Configuration option - Use this option to access and configure the main event processing options.

Events Browser - Use this option to browse the events stored in the GFI


Reporting - Use this option to download and install the GFI EventsManager ReportPack.

General options - Use this option to check for product updates, as well as view version and licensing details.

Tab options - Use the Tab options to access and configure GFI EventsManager operational parameters.

Group Type - Use this drop-down to switch between event log source groups (i.e. Computer and Database Servers Groups).

Left pane - Use this pane to navigate through the additional configuration options provided in GFI EventsManager.


2 Installation

2.1 Introduction

Where can I install GFI EventsManager on my network?

GFI EventsManager can be installed on any computer which meets the minimum system requirements irrespective of the location on your network.

Use GFI EventsManager to manage the events generated:

• On the same computer where it is installed

• On all the computers that are reachable from the computer on which it is installed.

Figure 3 - GFI EventsManager deployment scenario

GFI EventsManager can be deployed:

1. Within your network to monitor the activity of internal servers and workstations/end points.


2.1.1 Deployment of GFI EventsManager on a local area network

GFI EventsManager can be deployed on Windows based networks as well as on mixed environments where Linux and UNIX systems are being used as well.

Figure 4 - Deployment of GFI EventsManager on LAN

When installed on a Local Area Network (LAN) GFI EventsManager can manage Windows events, W3C event logs, Syslog messages, SNMP Traps and SQL Server audit messages generated by any hardware or software that is connected to the LAN, including:

Workstations and Servers (e.g. Apache web-servers)
Network appliances (e.g. Cisco PIX firewalls)
Third party software (e.g. GFI EndPointSecurity)
Specialized Services (e.g. Microsoft Internet Information Server - IIS)
PABXs, Keyless Access Systems, Intrusion detection systems, etc.

When installed on a LAN, GFI EventsManager can also be used to collect events from hardware and software systems deployed in a Demilitarized Zone (DMZ). Since a firewall or a router with network traffic filtering capabilities usually protects this zone, you must make sure that:

1. The communication ports used by GFI EventsManager are not blocked by the firewall. For more information on the communication ports used by GFI EventsManager refer to: http://kbase.gfi.com/showarticle.asp?id=KBID002770.

2. GFI EventsManager has administrative privileges on the computers running in the DMZ.

Note that the direction of the required firewall rules differs by log type: for Windows event log collection GFI EventsManager connects to the DMZ targets (ports 135, 139 and 445, see Table 1), whereas Syslog and SNMP Trap sources in the DMZ connect to the GFI EventsManager machine (ports 514 and 162). Open only these ports, and only between the DMZ hosts concerned and the GFI EventsManager machine.

2.1.2 Deployment of GFI EventsManager on a demilitarized zone

Figure 5 - The DMZ sits between the internal LAN and the Internet

GFI EventsManager can also be deployed on a Demilitarized Zone (DMZ). This is the neutral network which sits between the “internal” corporate network and the “outside world” (i.e. the internet). The deployment of GFI EventsManager on a DMZ helps you automate the management of events generated by DMZ hardware and software systems.

Automate management of Web and Mail server events

DMZ networks are normally used for the running of hardware and software systems that have internet specific roles such as HTTP servers, FTP servers, and Mail servers.

Hence, you can deploy GFI EventsManager to automatically manage the events generated by:

Linux/Unix based web-servers including the W3C web-logs generated by Apache web-servers on LAMP web platforms.

Windows based web-servers including the W3C web-logs generated by Microsoft Internet Information Servers (IIS).

Linux/Unix and Windows based mail-servers including the Syslog auditing services messages generated by Sun Solaris v. 9 or later.

Automate management of DNS server events

If you have a public DNS server, there's a good chance that you are running a DNS server in the DMZ. Hence you can use GFI EventsManager to automatically collect and process DNS server events, including those stored in your Windows DNS Server logs.

Automate management of network appliance events

Routers and firewalls are two network appliances commonly found in a DMZ. Specialized routers and firewalls (e.g. Cisco IOS series routers) not only help protect your internal network, but provide specialized features such as Port Address Translation (PAT) that can augment the operational performance of your systems. By deploying GFI EventsManager on your DMZ, you can collect the events generated by such network appliances. For example, you can configure GFI EventsManager to act as a Syslog Server and collect in real-time the Syslog messages generated by Cisco IOS routers.

2.2 Hardware requirements

Processor: 2.5 GHz dual core or higher
RAM: 2048 MB
Hard disk: 10 GB of available space

Hard disk size depends on your environment; the size specified in the requirements is the minimum required to install and archive events.

2.3 Software requirements

Software requirements - Installation machine(s)

Supported Operating Systems

Windows Server 2008 - Standard or Enterprise (x86 or x64)
Windows Server 2008 R2 - Enterprise
Windows Server 2003 (SP2) - Standard or Enterprise (x86 or x64)
Windows 2000 (SP4) - Server or Advanced Server
Windows 7 - Enterprise, Professional or Ultimate (x86 or x64)
Windows Vista - Enterprise, Business or Ultimate (x86 or x64)
Windows XP - Professional (x86 or x64)
Windows SBS 2008
Windows SBS 2003

Other components

.NET framework 2.0 Service Pack 2 or later.
Microsoft Data Access Components (MDAC) 2.8 or later. MDAC 2.8 can be downloaded from http://www.microsoft.com/Downloads/details.aspx?familyid=6C050FE3-C795-4B7D-B037-185D0506396C&displaylang=en
(Optional) A mail server (if email alerting is configured)
Microsoft SQL Server 2005 or later (including Microsoft SQL Express edition) for events archiving. Microsoft SQL Server must have TCP port 1433 open to store events collected by GFI EventsManager. For more information, refer to http://support.microsoft.com/kb/287932

Software requirements - Scanned machine(s)

For Microsoft Windows event log scanning:
o Remote registry service must be enabled.
W3C log scanning:
o The source folders must be accessible via Windows shares.
Syslog and SNMP Traps:
o Sources/senders must be configured to send messages to the computer/IP address where GFI EventsManager is installed.

2.4 Other requirements

2.4.1 Ports and permissions that must be enabled

Ports used by GFI EventsManager

Table 1 below describes the ports used by GFI EventsManager to process and collect events from target computers.

Table 1 - Ports used by GFI EventsManager

Port           Protocol      Description
135            UDP and TCP   Target machines use this port to publish information regarding available dynamic ports. GFI EventsManager uses this information to be able to communicate with the target machines.
139 and 445    UDP and TCP   Used by GFI EventsManager to retrieve the event log descriptions from target machines.
162            UDP and TCP   Used by GFI EventsManager to receive SNMP traps. Ensure that this port is open on the machine where GFI EventsManager is installed.
514            UDP and TCP   Used by GFI EventsManager to receive Syslog messages.
1433           UDP and TCP   Used by GFI EventsManager to communicate with the SQL Server database backend. Ensure that this port is enabled on Microsoft SQL Server and on the machine where GFI EventsManager is installed.
7787 and 7788  UDP and TCP   RPC ports used by GFI EventsManager to handle the communications between the internal components of the product, including the event processing engine and the user interface. Ensure that these ports are open on the machine where GFI EventsManager is installed.
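The following is an added example, not code from the manual or the product, of the check a practitioner would run from the GFI EventsManager machine before adding a target: it probes, over TCP, the ports in Table 1 that the collector must reach on a target and on the SQL Server backend. The host names in the usage line are placeholders; no product API is used.

```python
"""Pre-deployment reachability check for the Table 1 ports.

Added example, not code from the GFI manual or the product: before adding a
target to GFI EventsManager, confirm from the collector machine that the TCP
ports the product needs are reachable. Host names used in the usage line are
assumptions; no product API is involved."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the collector must reach ON THE TARGET for Windows event log collection
# (Table 1). 162 and 514 are inbound to the collector and are not probed here;
# 7787 and 7788 are local to the collector machine.
TARGET_TCP_PORTS = (135, 139, 445)
# Port the collector must reach on the SQL Server backend (Table 1).
SQL_TCP_PORT = 1433


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, timed out, unreachable or unresolvable host
        return False


def check_target(host, ports=TARGET_TCP_PORTS, timeout=2.0):
    """Probe the ports concurrently; return {port: reachable} for the host."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return dict(zip(ports, results))


def blocked_ports(host, ports=TARGET_TCP_PORTS, timeout=2.0):
    """Sorted list of the given ports that are NOT reachable on the host."""
    return sorted(p for p, ok in check_target(host, ports, timeout).items() if not ok)


if __name__ == "__main__":
    import sys
    # Usage: python check_ports.py <target> [<sql-server>]  (names are hypothetical)
    target = sys.argv[1] if len(sys.argv) > 1 else "dmz-web01"
    sql_host = sys.argv[2] if len(sys.argv) > 2 else "sqlsrv01"
    for port, ok in check_target(target).items():
        print(f"{target}:{port}", "open" if ok else "BLOCKED")
    print(f"{sql_host}:{SQL_TCP_PORT}", "open" if tcp_port_open(sql_host, SQL_TCP_PORT) else "BLOCKED")
```

Only TCP is probed: a UDP port cannot be confirmed open with a connect attempt, so the UDP entries in Table 1 still need to be verified against the firewall rule set itself. A port reported as BLOCKED from the collector is exactly the case the DMZ note above warns about.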

Firewall permissions that must be enabled

When using Microsoft Windows firewall, ensure that all the firewall permissions and policies listed in Table 2 below are enabled on all target machines.

Table 2 - Firewall permissions to enable

Firewall permissions and Audit policies    Windows Server 2008   Windows Server 2003   Windows XP        Windows Vista   Windows 7
Remote Event Log Management                Enable                Not applicable        Not applicable    Enable          Enable
File and Printer sharing                   Enable                Enable                Enable            Enable          Enable
Network discovery                          Enable                Not applicable        Not applicable    Enable          Enable
Audit policy: Object access                Enable                Not applicable        Not applicable    Enable          Enable
Audit policy: Process tracking             Enable                Not applicable        Not applicable    Enable          Enable
Audit policy: Audit account management     Enable                Enable                Enable            Enable          Enable
Audit policy: Audit system events          Enable                Enable                Enable            Enable          Enable

Object access and Process tracking auditing can generate a large volume of events; size the database backend (see Hardware requirements) accordingly.

For more information on how to set these permissions refer to the following sections:

To apply settings manually on each target machine refer to Enabling permissions on target computers manually.
To apply settings automatically on target computers using Microsoft Active Directory GPO, refer to Setting permissions on target computers automatically via GPO.

2.4.2 Microsoft Windows Vista and Microsoft Windows 7

Microsoft Windows Vista and Microsoft Windows 7 introduced extensive structural changes in event logging and event log management. The most important of these changes include:

A new XML-based format for event logs. This provides a more structured approach to reporting on all system occurrences.

Event categorization in four distinct groups: Administrative, Operational, Analytic and Debug

A new file format (evtx) that replaces the old evt file format.

Due to these changes, to collect and process event logs from Microsoft Windows Vista or later, GFI EventsManager must be installed on a system running Microsoft Windows Vista or later. (For example, GFI EventsManager cannot be installed on Microsoft Windows XP to monitor events on Microsoft Windows 7 machines).

Windows XP events can be collected when GFI EventsManager is installed on Microsoft Windows Vista or later machines.

When GFI EventsManager uses a non-domain account to collect events from Microsoft Windows Vista or later machines, the target machines must have User Account Control (UAC) disabled. Because disabling UAC weakens the target, prefer a domain account for collection wherever possible. For more information on how to disable UAC, refer to the Disable UAC to scan target machines section in this manual.

2.5 Upgrading from a previous version

Upgrading from version 8.x and retaining configuration settings is fully supported. Upgrading from version 7.x is possible but all configuration settings will be lost. Upgrading from versions older than version 7 is not possible because the underlying operational and processing subsystems differ from those of the current version of GFI EventsManager. You will still be able to run an older (pre-version 7) version of GFI EventsManager on the same machine on which a newer version is installed, since there are no conflicts between the older and the newer versions.

2.6 Installation procedure

GFI EventsManager includes an installation wizard which will assist you through the installation process. To start the installation:

1. Close all running applications and log-on the target computer using an account which has local administrative privileges.

If an older version of GFI EventsManager is detected, the wizard will enable you to retain or delete the GFI EventsManager configuration settings.

If any pre-requisites are missing, the wizard will enable you to download and install all pre-requisites.

3. Click Next.

4. Read the licensing agreement carefully. Select the 'I accept the Licensing agreement' option and click Next.

5. If an installation of Microsoft SQL Server is not detected on the local machine, the SQL Server Express install is launched automatically. Select one of the following options:

Download and install Microsoft SQL 2005 Express Edition
Use a remote instance of Microsoft SQL Server.

Click Next.

Screenshot 2 - Customer and License detail screen

6. Key-in your name and license key. If you are evaluating the product, leave the license key as default (i.e. 'Evaluation') and click Next.

(33)

Screenshot 3 - Logon information screen

7. Key-in the user name and password of a domain administrator account and click Next. GFI EventsManager uses this account to collect events from target machines, so treat it as a privileged service account: use a dedicated account rather than a personal one and protect its credentials accordingly.

8. Specify an alternative installation path or click Install to leave the default.

9. Click Finish.

For more information on launching GFI EventsManager for the first time, refer to

3 Getting Started

3.1 Introduction

What is a computer log?

A computer log is a collection of event entries. These entries provide an audit trail of information related to the activity of a network or computer system; computer logs are recorded with a defined scope so that the information they hold is suitable for forensic analysis. A computer log may be a binary file, as in the case of Windows logs, or a text-based file, as in the case of Syslog or W3C logs.

What is an event?

An event is a log entry that provides information on something that occurred within a computer system or network. Such events include various details such as the date and time the event occurred and a related description. Event entries are usually stored in chronological order to facilitate event browsing and forensic analysis.

What are Windows Event Logs?

Windows Event Logs are a systematic recording of computer related events that occurred within computer systems and networks running Windows Operating Systems. In systems running Windows 2000/XP/2003/Vista, events are recorded and organized in 3 default event logs:

Application log
Security log
System log.

Computers with specialized network roles such as domain controllers and DNS servers allow the logging of events to additional (default) logs such as:

Directory service log
File Replication service log
DNS server log.

Windows Event Logs contain the following types of events:

Error - Error events indicate that a significant problem, such as loss of data or functionality has occurred. For example an Error event is recorded every time that a service or driver fails to load during startup.

Warning - Warnings indicate events that are not necessarily significant, but which may possibly cause future problems. For example, a Warning event is recorded every time that disk space runs low.

Information - Information events describe the successful operation of an application, driver, or service. For example, an Information event is recorded every time that a network driver loads successfully.

Success Audit - Success audit events indicate security access attempts that were successful. For example, a Success Audit event is recorded every time that a user successfully logs on to his Windows based workstation.

Failure Audit - Failure audit events indicate security access attempts that failed. For example, a Failure audit event is recorded every time that a user fails to access a network drive.

A sample of the information typically recorded in a Windows Event Log is shown below.

Screenshot 4 - Windows event log

What are W3C logs?

W3C logs are used mainly by web servers to record web-related activity such as HTTP requests. W3C logs are recorded in text-based flat files using one of the two logging formats currently available:

W3C Common Log file format
W3C Extended Log File format.

The Common Log file format (the NCSA Common Log Format) was the first format to be released and to date it is still the default format used by a variety of popular web servers including Apache. There is however one downside: the information about each server transaction is fixed and does not provide for certain important fields such as referrer, user agent, transfer time, domain name, or cookie information. To overcome this problem, the W3C Extended log file format was released. This newer type of log is a customizable ASCII text-based format, permitting a wider range of data to be captured; the fields recorded are declared in a #Fields directive at the top of the file. The W3C Extended log file format is the default log file format used by Microsoft Internet Information Server (IIS).

A sample of the information typically recorded in a W3C extended type log is shown below.

#Version: 1.0
#Date: 04-Sep-2009 00:00:00
#Fields: time cs-method cs-uri
00:34:23 GET /WebSRV/Pg_Snippet.html
12:21:16 GET /WebSRV/Button_pg.html
12:45:52 GET /WebSRV/Login_Pg.html
12:57:34 GET /WebSRV/Error_msg.html

What are Syslogs?

Syslog is the standard for logging messages, such as system events, in an IP network. The Syslog standard is most commonly used for the logging of events by computer systems running UNIX and Linux, as well as by network devices and appliances such as Cisco routers and the Cisco PIX firewall. Syslog events are not recorded directly by the applications running on the computer systems. Whenever an event is generated, the respective computer sends a small textual message (known as a Syslog message) to a dedicated server commonly known as a 'Syslog server'. The Syslog server then saves the received message into a log file. Syslog messages are generally sent as clear text (typically over UDP) and carry no authentication, so they can be read and spoofed on the network; an SSL wrapper can be used to provide a layer of encryption.

Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, its big plus is that Syslog is supported by a wide variety of devices and receivers. Because of this, Syslog can be used to integrate log data from many different types of systems into a central repository, using the Syslog server as a log aggregator.

The Syslog daemon handles the recording of Syslog messages/events in log files. A Syslog message is composed of two main parts:

1. The 'header', which contains date/time information as well as the IP address or computer name from which the message originated.

2. The 'message', which includes the program or subsystem name and the message itself, separated by a colon.

The following is an example of a Syslog message:

Sep 4 10:10:10 10.245.2.11 foo[421]: this is a message from WebSRV
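The two text formats described above, the #Fields-driven W3C Extended format and the header plus "program[pid]: message" Syslog format, are shown below being parsed into one common record shape, which is what a central event store needs before it can query both log types the same way. This is an added example, not code from the manual or from GFI EventsManager. The sample lines are constructed for the example (the manual's W3C excerpt extended with an sc-status column, and the manual's Syslog line beside an assumed Cisco-style access-list message); the host names, the Cisco message text and the receiver year are assumptions.

```python
"""Parse W3C Extended log records and BSD-style Syslog messages into one
normalized event record. Added example, not code from the GFI manual or the
product: the sample lines are constructed, and the Cisco-style message text,
the host names and the 'sc-status' column are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed W3C Extended sample (the manual's excerpt plus an sc-status column,
# an IIS default field assumed here so that error responses can be picked out).
W3C_SAMPLE = """\
#Version: 1.0
#Date: 04-Sep-2009 00:00:00
#Fields: time cs-method cs-uri sc-status
00:34:23 GET /WebSRV/Pg_Snippet.html 200
12:21:16 GET /WebSRV/Button_pg.html 200
12:45:52 POST /WebSRV/Login_Pg.html 401
12:57:34 GET /WebSRV/Error_msg.html 500
"""

# Constructed Syslog samples: the manual's example line and an assumed
# Cisco IOS style access-list message carrying a <PRI> prefix (local7.info).
SYSLOG_SAMPLE = [
    "Sep  4 10:10:10 10.245.2.11 foo[421]: this is a message from WebSRV",
    "<190>Sep  4 10:11:02 dmz-rtr01 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.7(4455) -> 10.245.2.11(445), 1 packet",
]


@dataclass
class Event:
    timestamp: str    # normalized text timestamp
    source: str       # host name or IP the record came from
    log_type: str     # "w3c" or "syslog"
    fields: dict = field(default_factory=dict)


def parse_w3c_extended(text, source):
    """Yield one Event per record; column names come from the #Fields directive.
    W3C Extended field values never contain spaces (they are +/%-encoded), so
    whitespace splitting is safe."""
    columns, log_date = None, ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                      # directive line
            directive, _, value = line[1:].partition(":")
            if directive == "Fields":
                columns = value.split()
            elif directive == "Date":
                log_date = value.split()[0] if value.split() else ""
            continue
        if columns is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(columns):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(columns, values))
        ts = f"{log_date} {rec.get('time', '')}".strip()
        yield Event(ts, source, "w3c", rec)


SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                               # optional <PRI>
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # BSD timestamp (no year)
    r"(?P<host>\S+) "                                         # originating IP or name
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "              # program[pid]:
    r"(?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line, receiver_year=2009):
    """Parse one BSD Syslog message into an Event, or return None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {"tag": m["tag"], "pid": m["pid"], "message": m["msg"]}
    if m["pri"] is not None:
        pri = int(m["pri"])
        if pri > 191:                                 # 24 facilities * 8 severities
            return None
        fields["facility"], fields["severity"] = pri // 8, SEVERITIES[pri % 8]
    # The BSD header carries no year, so the receiver supplies it (assumed here).
    ts = datetime.strptime(f"{receiver_year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts.isoformat(sep=" "), m["host"], "syslog", fields)


def normalize_all(w3c_text=W3C_SAMPLE, syslog_lines=SYSLOG_SAMPLE):
    """Return every sample record as one list of Events, W3C first, in input order."""
    events = list(parse_w3c_extended(w3c_text, source="WebSRV"))
    events += [e for e in map(parse_syslog, syslog_lines) if e is not None]
    return events


def failed_web_requests(events):
    """W3C records whose sc-status is a client or server error (status >= 400)."""
    return [e for e in events
            if e.log_type == "w3c" and int(e.fields.get("sc-status", 0)) >= 400]
```

Two points a collector has to handle are visible here: the BSD Syslog header carries no year, so the receiver has to supply one, and nothing in the message authenticates the host field, so the "source" of a Syslog event is whatever the sender chose to write. Lines that do not match the grammar are returned as None rather than guessed at.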

What are SNMP Traps?

SNMP Traps are used by network management systems to monitor network devices (such as routers, firewalls or switches) for conditions that require administrative attention. This includes monitoring device uptime, inventories of operating system versions and collecting interface information. SNMP enabled devices do not record event messages locally; instead they transmit event details to an SNMP Trap server, which analyzes these occurrences and alerts systems administrators on key events.

GFI EventsManager includes its own SNMP Trap server that captures SNMP messages and informs systems administrators of network device failures and other critical events. GFI EventsManager supports SNMP Trap versions 1, 2 and 3; only version 3 provides authentication and encryption of the traps, so prefer it where your devices support it.

What are SQL Server audit logs?

Microsoft SQL Server generates event logs that allow the network administrator to monitor database activity. GFI EventsManager allows you to process the activity logs generated by day-to-day SQL Server operations such as server startup, and by key events such as failed logons. Alerts can also be created when key events, such as consecutive login failures, are identified in Microsoft SQL Server audit logs.

3.2 Running GFI EventsManager for the first time

After installation, the GFI EventsManager console is launched automatically. To launch GFI EventsManager click Start ► All Programs ► GFI EventsManager ► Management Console.

Follow the steps outlined below to configure GFI EventsManager for first time use:

Figure 6: Running GFI EventsManager for the first time

3.3 Step 1: Configure the database backend

Set up the database backend on first launch of GFI EventsManager.

If you opted to install Microsoft SQL Server during the GFI EventsManager installation, the database backend required by GFI EventsManager will be set up automatically. You are therefore not required to manually create the database backend.

Screenshot 5 - Database backend alert displayed on Quick Start Dialog

Otherwise, an alert appears at the bottom of the Quick Start Dialog indicating that you are required to configure a Microsoft SQL Server database backend. Select Click here… in the alert box to configure the Microsoft SQL backend database.

Screenshot 6 - Database Options - Change database tab

To configure the SQL Server and database backend details:

1. Specify the name/IP of your SQL Server.

2. Key in a name for your database backend (e.g. EventsManager).

3. Select the authentication method used to connect to the SQL Server. If SQL Server authentication is selected, specify the login username and password.

4. (Optional) Click Validate database to check that the selected database exists and has the correct structure.

5. Click Advanced settings tab to select the language character and symbol support to be used.

6. Click OK to finalize settings.

Microsoft SQL Server must have TCP port 1433 open to store events collected by GFI EventsManager. For more information, refer to http://support.microsoft.com/kb/287932

The account under which GFI EventsManager is running requires read and write privileges on the database. To enable these privileges:

1. Launch SQL Server Management Studio and from the Object Explorer, expand Security ► Logins. Check that the account to be used by GFI EventsManager is listed in the Logins folder.

If you are using Microsoft SQL Express, download Microsoft SQL Server Management Studio Express from: http://www.microsoft.com/downloads/details.aspx?familyid=C243A5AE-4BD1-4E3D-94B8-5A0F62BF7796&displaylang=en

Screenshot 7 – SQL Server Management – Logins folder

2. Right click the user and select Properties.

3. From the left panel, select the Server Roles page and check that sysadmin is selected.

Note that sysadmin is a server-level role that grants full control over the whole SQL Server instance, not only over the GFI EventsManager database; keep the credentials of this account protected and do not reuse them for other applications.

Screenshot 8 – SQL Server Management – Login Properties dialog

3.4 Step 2: Launch events processing

You are now required to define the event sources i.e. the computers from which events will be collected.

Screenshot 9 - Quick Start Dialog

From the Quick Start dialog select one of the following options:

1. Process events - local computer: Start collecting events from the local computer, where GFI EventsManager is installed. For more information refer to the Processing events from the local computer section in this chapter.

2. Process events - local domain: Launch the Automatic network discovery wizard. This wizard will automatically search your network for event sources. For more information refer to Processing events from the local domain section in this chapter.

3. Process events - selected machines: Add event sources manually without using the wizard. For more information refer to Processing events from selected machines

4. Customize: Customize different types of events or different types of sources (e.g. Syslog and SNMP Trap processing).

3.4.1 Processing events from the local computer

To process event logs from the local machine:

1. From the Quick Start Dialog, click Process events - local computer. GFI EventsManager will start to collect events from the local machine immediately.

Screenshot 10 - Events processed from local machine

On completion, the number of events that have been processed is displayed in the information bar as illustrated in the screenshot above.

3.4.2 Processing events from the local domain

The Network discovery wizard searches the entire network for computers and servers and assists in adding network computers as GFI EventsManager event sources. To launch the Network discovery wizard:

1. From the Quick Start Dialog, click Process events - Local domain

The wizard can also be launched from Configuration ► Event Sources, right click All event sources and select Scan local domain.


If synchronization options are configured, Process events - Local Domain is disabled. For more information refer to Edit synchronization options section in this manual.

2. In the Welcome screen, click Next.

Screenshot 11 - Select the type of event source

3. The wizard enables you to search the local network for specific types of event sources. Select the type of event sources to add and click Next.

At least one event source type must be selected before proceeding to the next wizard dialog.

4. The wizard will automatically start to search for connected computers. On completion, click Next.

Screenshot 12 - Select computers from result

All discovered machines are by default selected. If the wizard fails to login to a target machine, it is not selected.

5. To add a machine not selected by default, click the machine and a dialog will enable you to key-in alternative credentials. Click OK and Next.

3.4.3 Processing events from selected machines

Screenshot 13 - Process events from selected machines

To collect event logs from selected machines:

1. From the Quick Start Dialog, click Process events - selected machines to launch the Add New Event Sources wizard.

2. Specify the name/IP of the new event source and click Add. Repeat until you have specified all the event sources to add to this group.

To import the list of event sources from a text file click the Import button. To select event sources from a list, click the Select button.

3. Click Finish to finalize settings. GFI EventsManager will collect events from the configured sources immediately.

3.5 Step 3: Analyze events and generate reports

3.5.1 Navigating the Quick Launch Console

You can now analyze the event information collected and generate reports based on the data gathered.

Screenshot 14 - GFI EventsManager Quick Launch Console

Launch Console link from the top right-hand corner of the GFI EventsManager user interface. Table 3 below describes the options available in the Quick Launch Console.

Table 3 - Quick Launch Console options

Icon - Description

Browse events - Access the built-in events and forensic tools that will help you to locate, analyze and filter key events. For more information refer to the Event browsing chapter in this manual.

Generate reports - Access reporting features including instant/scheduled report generation and automated report distribution. For more information refer to Generating reports.

View dashboard - Access the GFI EventsManager status dashboard. This enables you to view graphical representations of the most important events collected and processed by GFI EventsManager. For more information, refer to the Status monitoring section in this manual.

Customize - Customize GFI EventsManager settings, such as enabling Syslog and SNMP Trap processing, key events notifications, etc. For more information refer to Manage event sources.

4 Event browsing

4.1 Introduction

The Event Browsing option allows you to access and browse processed or unprocessed events/logs that are currently stored in the main or backup database.

Screenshot 15 - GFI EventsManager: Events Browser

Use the Events Browser for forensic analysis of events. All events accessible through the Events Browser are organized (by log type) in the following tabs:

Windows Events Browser
W3C Events Browser
Syslog Events Browser
SNMP Traps Events Browser
Microsoft SQL Server Audit Browser

This way you can quickly access the events belonging to a particular log type. Event data is organized into columns, click a particular event to show additional information in a dedicated events description pane. The header color coding enables you to quickly identify the severity of the event.

Screenshot 16 - Event details provided in the Events Browser

For Windows events, descriptions are organized in two tabs accessible from the events description field:

General tab - Contains events information in the legacy format that was standard for pre-Microsoft Windows Vista event logs.

XML Data tab - Contains events information in the new XML based Microsoft Windows Vista format.

Use the link provided in the event description pane to access:

A more detailed description of the event
Information and links that explain what causes this type of event
Hints and tips on how to possibly solve any existing issues.

The navigation tool bar allows you to navigate between pages, stop a query and configure the auto-refresh rate. To configure auto-refresh, click the refresh icon and select the required time interval.

Screenshot 17 – Configure auto-refresh

Event analysis is quite a demanding task; GFI EventsManager is equipped with specialized tools that simplify the search for specific events as well as enable the export of events to CSV files. These specialized tools include:

An event filter/query builder
Event color-coding options
Event finder tool

4.2 Event filter/query builder

Use the event query builder to create custom filters that sift event data and display only the information needed. To filter events during browsing:

1. Click Events Browser tab and select the event browser required.

2. From the left pane select the required events filter (such as the Accounts Usage filter). Results will be displayed in the browser (right pane).

Screenshot 18 - Selecting a filter

4.2.1

Creating custom event queries

In GFI EventsManager, custom queries are added as a sub-node within the default queries that ship with the product. To create custom event queries:

1. Click the Events Browser tab and select one of the following tabs:

Windows Events Browser
W3C Events Browser
Syslog Events Browser
SNMP Traps Events Browser
Microsoft SQL Server Audit Browser

Screenshot 19 - GFI EventsManager: Events Browser

2. Right-click default query where the new event query will be created and select Create query…

Screenshot 20 - Custom query builder

3. Specify a name and a description for the new query.

4. Click Add, configure the required query condition(s) and click OK. Repeat until all required query conditions have been specified. For more information on field operators refer to the Field operator section in this manual.

5. Click OK to finalize your settings.

4.2.2 Create query from an existing event

GFI EventsManager allows the administrator to sort events automatically by creating custom queries. Each query has its own filtering criteria, and administrators can create a query by selecting a particular field from an existing event. The selected field will automatically be included in the filtering criteria. To automatically create a query based on a field:

1. Click Events Browser tab.

2. From the Queries list, select the type of query and the existing event.

3. Right click the field that will be included in the query builder, and click Create query from field.

4.2.3 View or Edit a custom query

The naming convention of the new query is Type equal <Field Selected>. To edit the query, right click the query and select Properties.

Screenshot 22 – Create new query using the query builder

GFI EventsManager ships with pre-configured queries that can filter events without any configuration effort.


Screenshot 23 - Default and custom event queries

4.3 Event color-coding options

Use the event color-coding tool to tint key events in a particular color. This way the required events are easier to locate during event browsing. For example, you can create a query that shows events classified as Critical or High and at the same time color in red all Critical events having event ID 231.

Screenshot 24 – Color coding configuration

The configuration of color-codes is carried out through a dedicated query builder. To use the query builder click Advanced and configure the following options:

The conditions that define which events must be colored The colors to be used when showing these events.

4.3.1 Assigning a color-code to a specific event

Screenshot 25 - Assigning event color-codes

To assign a color code to a specific event:

1. Click Events Browser tab and select an events browser accordingly.

2. Select the Customize view option and from the right pane, select the Colors option.

3. Specify event filter parameters including the color to be applied to the sifted events.

4. Click Apply Color button to finalize your settings.

4.3.2 Assigning different color-codes to multiple events

To assign different color-codes to multiple events:

1. Click Events Browser tab and select an events browser accordingly.

2. Select the Customize view option. From the right pane, select the Colors option and click Advanced.

Screenshot 26 - Advanced Color Filter

3. Click the Add button. Specify the filter name and configure the event filter parameters.

4. Click the OK button to save the filter settings.

5. Repeat until all required event filter conditions have been configured. Click OK to finalize your settings.
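The query builder of section 4.2 and the color-coding rules of section 4.3 both reduce to the same mechanism: a query is an AND-list of (field, operator, value) conditions evaluated against each event, and a color-code is an ordered list of such queries, each mapped to a color, first match wins. The following is an added example in Python of that mechanism, not GFI EventsManager code (the product builds these queries in its GUI): the event record shape, the operator names, the query naming and the sample events are assumptions constructed for the example. It reproduces the manual's own case, a view of Critical or High events in which Critical events with event ID 231 are tinted red, and the "create query from field" operation of section 4.2.2.

```python
"""Field/operator event queries and color-coding rules.

Added example, not GFI EventsManager code: event records, field names,
operator names, query naming and the sample events are assumptions."""
from dataclasses import dataclass, field
from typing import Any

# Constructed sample events in the shape of Windows event log records.
SAMPLE_EVENTS = [
    {"event_id": 231, "severity": "Critical", "source": "srv01", "description": "Service failed to start"},
    {"event_id": 4625, "severity": "High", "source": "srv02", "description": "An account failed to log on"},
    {"event_id": 6005, "severity": "Low", "source": "srv01", "description": "The Event log service was started"},
    {"event_id": 231, "severity": "High", "source": "srv03", "description": "Service failed to start"},
]

# Field operators (the product offers a fixed set; these names are assumed).
OPERATORS = {
    "equal": lambda a, b: a == b,
    "not equal": lambda a, b: a != b,
    "greater than": lambda a, b: a > b,
    "less than": lambda a, b: a < b,
    "contains": lambda a, b: str(b).lower() in str(a).lower(),
    "in": lambda a, b: a in b,
}


@dataclass(frozen=True)
class Condition:
    name: str          # event field the condition looks at
    operator: str      # key into OPERATORS
    value: Any

    def matches(self, event: dict) -> bool:
        if self.name not in event:           # a missing field never matches
            return False
        return OPERATORS[self.operator](event[self.name], self.value)


@dataclass
class Query:
    name: str
    conditions: list = field(default_factory=list)   # AND-ed together

    def matches(self, event: dict) -> bool:
        return all(c.matches(event) for c in self.conditions)

    def run(self, events):
        """Return the events that satisfy every condition, in input order."""
        return [e for e in events if self.matches(e)]


def query_from_field(event: dict, field_name: str) -> Query:
    """Build a query pinning one field of an existing event (section 4.2.2);
    the '<field> equal <value>' name is an assumption."""
    value = event[field_name]
    return Query(f"{field_name} equal {value}", [Condition(field_name, "equal", value)])


@dataclass
class ColorRule:
    query: Query
    color: str


def color_for(event: dict, rules: list, default="none") -> str:
    """Color of the first rule whose query matches the event, else the default."""
    for rule in rules:
        if rule.query.matches(event):
            return rule.color
    return default


def browse(events, view: Query, rules: list):
    """Apply the view query, then tint each remaining event: [(color, event), ...]."""
    return [(color_for(e, rules), e) for e in view.run(events)]


# The manual's example: show Critical or High events, and color red the
# Critical ones carrying event ID 231.
CRITICAL_OR_HIGH = Query("Critical or High",
                         [Condition("severity", "in", ("Critical", "High"))])
RED_231 = ColorRule(Query("Critical 231", [Condition("severity", "equal", "Critical"),
                                           Condition("event_id", "equal", 231)]), "red")
```

Order matters in the rule list: because the first matching rule wins, a broad rule placed first would hide a more specific one, which is the same consideration as when several advanced color filters are configured in section 4.3.2.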
